The volume of cyber threats to mobile computing devices continues to increase as new applications and devices proliferate. McAfee reports that there were more than two million new mobile malware samples in 2013. Symantec reports that nearly 40% of mobile device users have experienced mobile cyber crime in the past 12 months. Some experts estimate that nearly 10% of applications sold on particular platforms are malicious. Most mobile malware gets installed when a user visits an infected website, downloads a malicious application, or clicks on a link or an attachment.
How can you protect yourself? Here are some helpful tips for keeping the information on your mobile device safe.
- Lock the device
An easy way for malware to get on a device is for someone to manually install it. Locking your device with a strong PIN/password makes unauthorized installation of applications more difficult.
- Install applications from trusted sources
Users must recognize that some applications may be malicious. If an app is requesting more permissions than seems necessary, do not install it, or uninstall the application. Only install applications from trusted sources.
- Don’t jailbreak your device
To “jailbreak” or to “root” a device means to bypass important controls and gain full access to the operating system. Doing this will usually void the warranty and can create security risks. This also enables applications, including malicious ones, to bypass controls and access the data owned by other apps.
- Keep operating systems and apps up-to-date
Manufacturers, telecommunications providers, and software providers regularly update their software to fix vulnerabilities. Make sure your device’s operating system and apps are regularly updated and running the most recent versions.
- Use a mobile security software solution
Install antivirus software, if available.
- Block web ads and/or don’t click on them
Malware can find its way onto your mobile device through a variety of methods, including advertisements. The malicious advertisements are called “malvertisements.” Mobile ads accompany a significant amount of content found in mobile applications. Whether you find them annoying or amusing, cyber criminals have turned their attention toward using them to spread malware to unsuspecting users. What makes these “malvertisements” so dangerous is the fact that they are often delivered through legitimate ad networks and may not appear to be outright spam, but can contain Trojans or lead to malicious websites when clicked on. Some mobile devices have software that can block harmful sites.
- Don’t click suspicious links and attachments
While it may be difficult to spot some phishing attempts, it’s important to be cautious about all communications you receive, including those purporting to be from “trusted entities”. Be careful when clicking on links or attachments contained within those messages.
- Disable unwanted services/calling
Capabilities such as Bluetooth and NFC can provide ease and convenience in using your smartphone. They can also provide an easy way for a nearby, unauthorized user to gain access to your data. Turn these features off when they are not required.
- Don’t use public Wi-Fi
Many smartphone users use free Wi-Fi hotspots to access data (and keep their phone plan costs down). Smartphones are susceptible to malware and hacking when leveraging unsecured public networks. To be safe, avoid logging into accounts, especially financial accounts, when using public wireless networks.
We are aware of the concerns surrounding the “Heartbleed Bug” (OpenSSL vulnerability).
Please be aware that our web site uses web servers that are not affected by the Heartbleed Bug. Our technology personnel have been assessing all systems to determine if there are any other known vulnerabilities, and will continue to review those until we are confident we have covered all areas of concern.
If any vulnerabilities are identified, and action needs to be taken, we will notify customers immediately.
Customers have reported receiving telephone calls regarding Government Grant Scams. As usual, we like to let you know when a specific type of scam is popular, so you can be better prepared to avoid these situations yourself.
The scammer will say something like, “Because you pay your income taxes on time, you have been awarded a free $12,500 government grant! To get your grant, simply give us your checking account information, and we will direct-deposit the grant into your bank account!”
This is fraud, plain and simple. For more information on Government Grant Scams visit the FTC’s website at http://www.consumer.ftc.gov/articles/0113-government-grant-scams#.UwT_r-ulg0k.email
We’ve had several reports that customers are receiving automated telephone calls from a restricted number. The call informs the customer that there has been fraud on their account and instructs them to press 4 (or another number) to continue. These are phishing calls designed to get customers to provide account information. Please do not provide account information if this happens. Contact your local branch with questions or concerns.
There have been daily news stories about the Target data breach and how it may affect shoppers. This is a great time for scammers to send out phony emails from Target pretending to help. What they are really trying to do is to trick you into giving them your personal information.
If you get an email that says it is from Target, look for the following to make sure you don’t get scammed.
- If any email asks for your personal or financial information, it is most likely a scam.
- If you receive an email that asks for your debit or credit card number, do not reply. No legitimate business will ask for your personal information through unsecure methods like email.
- If there are links in the email, do not click on them.
- Scammers create links and sites that look like the real deal. These phony sites can install viruses on your computer or direct you to spoof sites that exist to steal your information. Hovering over a link can reveal a deliberately misspelled web address, or a completely different destination. To be safe, you should type the URL directly into your browser.
- Be aware that scammers may send emails promising a free gift card, a new tablet or computer, or even a job in exchange for your personal information. Remember, if it sounds too good to be true, it probably is too good to be true.
We want to make everyone aware that we have had a report of a gentleman named “Greg Stockholm” calling Central National Bank customers. He starts out the conversation asking if the customer has received a letter from Central National Bank regarding corporate security. He then tells the customer that he wants to have a conversation about his company’s security issues.
Be advised that this is a scam.
If you receive a call concerning this, please DO NOT give the criminal any information.
The FBI is aware of a new type of malware known as Beta Bot. Cyber criminals use Beta Bot to target financial institutions, e-commerce sites, online payment platforms, and social networking sites to steal sensitive data such as log-in credentials and financial information. Beta Bot blocks computer users’ access to security websites and disables anti-virus programs, leaving computers vulnerable to compromise.
Beta Bot infection vectors include an illegitimate but official looking Microsoft Windows message box named “User Account Control” that requests a user’s permission to allow the “Windows Command Processor” to modify the user’s computer settings. If the user complies with the request, the hackers are able to exfiltrate data from the computer. Beta Bot is also spread via USB thumb drives or online via Skype, where it redirects the user to compromised websites.
Figure 1, Beta Bot “Windows Command Process” message box
Although Beta Bot masquerades as the “User Account Control” message box, it is also able to perform modifications to a user’s computer. If the above pop-up message or a similar prompt appears on your computer and you did not request it or are not making modifications to your system’s configuration, do not authorize “Windows Command Processor” to make any changes.
Remediation strategies for Beta Bot infection include running a full system scan with up-to-date anti-virus software on the infected computer. If Beta Bot blocks access to security sites, download the latest anti-virus updates or a whole new anti-virus program onto an uninfected computer, save it to a USB drive and load and run it on the infected computer. It is advisable to subsequently re-format the USB drive to remove any traces of the malware.
Fictitious correspondence, allegedly issued by the Office of the Comptroller of the Currency (OCC) regarding funds purportedly under the control of the OCC and other government entities, is in circulation. Correspondence may be distributed via e-mail, fax, or postal mail.
Any document claiming that the OCC is involved in holding any funds for the benefit of any individual or entity is fraudulent. The OCC does not participate in the transfer of funds for, or on behalf of, individuals, business enterprises, or governmental entities.
The letters may indicate that funds are being held by Bank of America and that the recipient will be required to pay a mandatory express service charge to have the funds released.
A sample copy of this fraudulent correspondence, which is being sent to consumers in an attempt to elicit funds from them and to gather personal information to be used in possible future identification theft, can be found here.
The correspondence in question contains forged signatures of former OCC officials. In addition, the material contains a fictitious e-mail address that is not associated with the OCC.
Before responding in any manner to any proposal supposedly issued by the OCC that requests personal information or personal account information or that requires the payment of any fee in connection with the proposal, the recipient should take steps to verify that the proposal is legitimate. At a minimum, the OCC recommends that consumers
- contact the OCC directly to verify the legitimacy of the proposal (1) via e-mail at firstname.lastname@example.org; (2) by mail to the OCC’s Special Supervision Division, 250 E St. SW, Mail Stop 8E-12, Washington, D.C. 20219; (3) via fax to (571) 293-4925; or (4) by calling the Special Supervision Division at (202) 649-6450.
- contact state or local law enforcement.
- file a complaint with the Internet Crime Complaint Center at www.ic3.gov if the proposal appears to be fraudulent and was received via e-mail or the Internet.
- file a complaint with the U.S. Postal Inspection Service by telephone at (888) 877 7644; by mail at U.S. Postal Inspection Service, 222 S. Riverside Plaza, Suite 1250, Chicago, IL 60606-6100; or via the online complaint form at https://postalinspectors.uspis.gov/forms/MailFraudComplaint.aspx, if the proposal appears to be fraudulent and was delivered through the U.S. Postal Service.
Any information regarding the subject of this or any other alert that you wish to bring to the attention of the OCC may be sent to email@example.com.
We have received reports of phone calls from an unknown telephone number in which an automated message claims that the customer’s debit card has been deactivated, and they are instructed to enter their card number in order to reactivate the card. This is a vishing scam, and customers are advised to hang up the phone immediately. Central National Bank does not use automated messages to contact customers about their accounts. If you have any questions, please call us at 1-888-262-5456.
The Office of the Comptroller of the Currency yesterday issued an alert about fraudulent letters — distributed via email, fax, or postal mail — involving funds purportedly under the control of the OCC and other government entities.
“The letters may indicate that funds are being held by the Halifax Bank, London, England, and that the recipient will be required to pay a mandatory express service charge to have the funds released,” the OCC said. The letters are “being sent to consumers in an attempt to elicit funds from them and to gather personal information to be used in possible future identification theft.”
The letters also contain forged signatures of former OCC officials and a fictitious email address. The agency emphasized that any document claiming that the OCC is involved in holding any funds for the benefit of an individual or entity is fraudulent. “The [agency] does not participate in the transfer of funds for, or on behalf of, individuals, business enterprises or governmental entities,” the OCC said.